HakTip 49 – Network monitoring in Linux with lsof


You're probably familiar with ls, or "list directory contents". Similarly lsof lists open files and the process that opened them. Since most things in Linux are files, it's capable of looking at files on the disk as well as pipes, sockets and devices. This can be really useful for tracking down what process is using a resource.

For example if you run into a disk that won't unmount because it's in use lsof can help figure out what's using it.

Another example is figuring out what ports a process is using. Since I have dropbox on this machine sync'ing files I can issue lsof -i -n -P | grep dropbox

The -i tells lsof to list IP sockets. The -n keeps it from trying to resolve DNS and -P says to give us the port number.

Matt's tip is to use the options -Pnl -i4, or -i6 if you're looking for IPv6 info.

As I just mentioned the capital P gives us the port number while the lowercase n keeps lsof from converting the network numbers into host names, which speeds things up a bit. Likewise the lowercase l keeps lsof from converting the user ID number into the actual login name, which again speeds things up.

And finally the -i4 option selects internet addresses, in this case IPv4. In addition to simply IPv4 or IPv6 you can specify protocol like TCP or UDP, host names and addresses, services and ports.

Another option that you might find useful is +M which enables the reporting of portmapper registrations for local TCP or UDP ports. It just puts 'em in brackets after the port number.

From the list here I can see that both Chrome and Dropbox are chatting on various ports to various places. I can see the user ID that started the process and of course the process ID. So now if I wanted to quiet things I could use the kill command to shut 'em down.
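As an added example that is not part of the original tip, here is a small Python script that parses the output of lsof -Pnl -i4 and answers the two questions above: which remote endpoints each process is talking to, and which processes are listening, including on every interface. The sample output is constructed (documentation IP ranges, not a real host) and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample of `lsof -Pnl -i4` output (documentation IP ranges, not a real host).
SAMPLE = """\
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dropbox   2231   1000   22u  IPv4  29413      0t0  TCP 192.0.2.10:49152->198.51.100.7:443 (ESTABLISHED)
dropbox   2231   1000   31u  IPv4  29420      0t0  TCP *:17500 (LISTEN)
chrome    3102   1000   91u  IPv4  31212      0t0  UDP 192.0.2.10:42563->198.51.100.53:53
chrome    3102   1000   95u  IPv4  31240      0t0  TCP 192.0.2.10:50110->203.0.113.46:443 (ESTABLISHED)
sshd       812      0    3u  IPv4  18776      0t0  TCP *:22 (LISTEN)
"""

# One data row: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]; -l keeps USER numeric.
ROW = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<uid>\d+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?$"
)

def parse_lsof(text):
    """Turn lsof -Pnl -i output into dicts; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        rec = m.groupdict()
        local, _, remote = rec.pop("name").partition("->")  # NAME is local[->remote]
        rec["local"], rec["remote"] = local, remote or None
        rec["pid"], rec["uid"] = int(rec["pid"]), int(rec["uid"])
        rows.append(rec)
    return rows

def connections_by_process(rows):
    """Map (command, pid, uid) to the sorted remote endpoints it is talking to."""
    out = defaultdict(set)
    for r in rows:
        if r["remote"]:
            out[(r["cmd"], r["pid"], r["uid"])].add(f'{r["proto"]} {r["remote"]}')
    return {k: sorted(v) for k, v in out.items()}

def listeners(rows):
    """TCP sockets in LISTEN state; a '*' or 0.0.0.0 bind means reachable on every interface."""
    found = []
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "LISTEN":
            host, _, port = r["local"].rpartition(":")
            found.append({"cmd": r["cmd"], "pid": r["pid"], "port": int(port),
                          "wildcard": host in ("*", "0.0.0.0")})
    return found
```

To run it against a live box, replace SAMPLE with the output of subprocess.run(["lsof", "-Pnl", "-i4"], capture_output=True, text=True).stdout.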

So what programs, commands or scripts are rocking your world? Hit us up -- tips@hak5.org, or simply leave a comment below.

And be sure to check out our sister show, Hak5 for more great stuff just like this.